http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057878
By Jaikumar Vijayan
January 21, 2008
Computerworld
More than 80,000 Web sites worldwide display a small green logo that
proclaims them to be "Hacker Safe." The logo is provided to them by
ScanAlert Inc., a vendor that scans the sites of its clients daily in
search of security vulnerabilities.
ScanAlert's logo is the most widely used security seal of its kind on
the Web, and it can be found on dozens of marquee-brand sites, including
those of Johnson & Johnson, Sony Corp. and Warner Bros. Entertainment
Inc. Such widespread use attracted the attention of security vendor
McAfee Inc., which in late October agreed to acquire ScanAlert.
But Napa, Calif.-based ScanAlert was put on the defensive this month
after online technology retailer Geeks.com warned an undisclosed number
of customers that their personal and credit card data may have been
compromised in a hacking incident. Geeks.com, whose formal name is
Genica Corp., displays the Hacker Safe logo at the bottom of its home
page.
A ScanAlert spokesman said "preliminary evidence" suggests that the
breach likely occurred during one of several periods last year when
ScanAlert had withdrawn its certification from Geeks.com after finding
vulnerabilities on the Web site.
Even so, the incident at Geeks.com has rekindled a debate about the
value of security seals such as the Hacker Safe logo.
ScanAlert users say that the scanning service can sniff out at least
some security problems and that the logo is a valuable marketing tool
for them.
On the other hand, ScanAlert's detractors say the service can give
companies and their online customers a false sense of security. Indeed,
hacker groups have claimed that they have targeted and broken into
numerous Web sites displaying the Hacker Safe logo.
"Hacker Safe seals are completely ludicrous," said David Kennedy, who
heads SecureState LLC's profiling and e-discovery practice. SecureState
is a consulting firm in Cleveland that offers security risk assessment
services and does manual penetration testing of systems and networks for
its clients.
ScanAlert's automated probes offer a "very basic form of vulnerability
identification," Kennedy claimed. They focus more on spotting network
vulnerabilities than on detecting harder-to-find Web application flaws,
such as SQL injection and cross-site scripting vulnerabilities, he said.
"Web applications are very dynamic and ever-changing," whereas
vulnerability scans rely on static information to identify security
issues, Kennedy said. He noted that after being asked to do security
assessments by 10 companies with Hacker Safe logos on their Web sites,
SecureState was able to break into nine of the sites and easily access
financial and customer data.
Adriel Desautels, chief technology officer at Netragard LLC, a Mendham,
N.J.-based company that offers manual vulnerability testing services,
said automated scans can be useful in ensuring that a Web site is
protected against known security flaws. "They make sure that network
security is not a complete disaster," he said.
But automated scans don't work as well with customized Web applications
and e-commerce environments, Desautels contended. And they do next to
nothing to test Web sites against less commonly known vulnerabilities,
he said, adding that those are the flaws most likely to be exploited by
black-hat hackers.
"We had a major financial institution customer that had passed an
automated vulnerability scan and intrusion testing," Desautels said.
"Everything appeared to be working, but then we came in and by the end
of the third day, [we] had penetrated 17 of their internal systems."
Tim Dowling, vice president of consumer growth initiatives at McAfee's
Web security group, said it's unreasonable and naive to expect any IT
security service to provide 100% protection against online threats.
"Hacker Safe is not perfect," Dowling acknowledged. But he said that
ScanAlert's service does help users defend their Web sites against
"thousands and thousands" of threats. And sites that sport the seal are
far more readily trusted by consumers than ones that don't, he claimed
-- a contention that was backed up by several ScanAlert users.
According to Dowling, a full 90% of the scans that ScanAlert performs on
a daily basis are automated. But in cases where sites fail the
vulnerability scans, the vendor may do manual penetration testing to
help its clients understand and correct security problems, Dowling said.
And contrary to the claims of Kennedy and Desautels, ScanAlert does look
for problems such as SQL injection and cross-site scripting flaws,
Dowling said.
He added that the date-stamped Hacker Safe seal is served and controlled
entirely by ScanAlert and is withdrawn any time a Web site fails to pass
the daily vulnerability scan. Since new vulnerabilities arise
frequently, Dowling said, it isn't uncommon for sites to lose and regain
their Hacker Safe status, as Geeks.com did last June and December.
The Hacker Safe service should be just one part of a multilayered
security strategy, said Jay Greenberg, director of e-commerce at Spencer
Gifts LLC, a novelty gifts retailer in Egg Harbor Township, N.J.
"This is one additional tool that you can utilize to help secure your
site," Greenberg said, adding that IT and Web site managers also "have
to be smart and diligent about making sure your developers are
monitoring and checking" for security flaws as well.
In addition to helping secure Web sites at the back end, ScanAlert's
service can boost sales by making consumers "feel comfortable" about
doing business on a site, Greenberg said.
Before joining Spencer Gifts, he worked for another company that was a
ScanAlert client. Greenberg said that to test how useful the Hacker Safe
logo was from a marketing standpoint, the company -- which he declined
to identify -- asked ScanAlert to make the seal visible to only about
half of the visitors to its Web site. The test showed that more of the
people who could see the logo bought products, he said.
Jay Cline, president of Minnesota Privacy Consultants and former chief
privacy officer at hospitality industry conglomerate Carlson Companies
Inc., has been a ScanAlert customer for about a year. Using the Hacker
Safe service certainly doesn't guarantee that hackers will never be able
to break into a Web site, said Cline, who also is a Computerworld
columnist.
"What I'm buying is a service that keeps me safe from hackers that use
known vulnerabilities," Cline said. "I'm aware that there's still [other
risks] that I need to watch out for."
ScanAlert has helped identify security problems that might otherwise
have been missed, Cline said. For example, during the initial sign-up
process, a scan pointed him toward a cross-site scripting vulnerability
that resulted from the way in which his site was being hosted by an
external Web site developer.
A logo proclaiming that a site is safe from hackers could sometimes be
seen as an open invitation for malicious attackers to try to crack the
site, Cline acknowledged. But like Greenberg, he said that the Hacker
Safe seal can be a valuable tool for convincing consumers to complete
transactions and not be scared away by any security concerns.
"If you're looking for ROI, Hacker Safe on balance gives you more lift,"
Cline said.
Bill Cronin, manager of e-commerce at The Vermont Teddy Bear Co. in
Shelburne, Vt., also said that he has been able to justify the cost of
the ScanAlert service from a marketing standpoint.
When it comes to actually boosting the security of a Web site, though,
the benefits are somewhat less obvious, Cronin said. He added that
ScanAlert can help users identify some pretty obvious flaws that most IT
departments really should be finding on their own in the first place.
"If they're coming up with vulnerabilities on your site, you really
aren't doing your job as a security administrator," Cronin said. "The
technical side of me says there is limited use here from a security
perspective. The marketing guy in me says it's a no-brainer."
Eric Ogren, an independent consultant in Boston, said that the situation
isn't black and white, because the IT security industry has yet to
develop any metrics for measuring the effectiveness of different
vulnerability detection approaches.
It's hard to say for sure how effective ScanAlert's automated scans are,
Ogren said. But he added that it's equally hard to know if manual
penetration testing and vulnerability assessments are as useful and
scalable as their proponents claim.